Platform
wordpress
Component
listingpro-plugin
Fixed in
2.9.4
CVE-2024-39621 describes a Path Traversal vulnerability within the ListingPro WordPress plugin. This flaw allows attackers to potentially include arbitrary files on the server, leading to sensitive data exposure or even remote code execution. The vulnerability impacts versions of ListingPro up to and including 2.9.3, and a patch is available in version 2.9.4.
The core of this vulnerability lies in the improper handling of file paths within the ListingPro plugin. An attacker can craft malicious requests that manipulate the pathname, bypassing intended restrictions and accessing files outside the designated directory. Successful exploitation allows for PHP Local File Inclusion (LFI). This means an attacker could include sensitive configuration files, source code, or even execute arbitrary PHP code on the server. The potential impact is significant, ranging from data breaches to complete server compromise. The ability to execute arbitrary code opens the door to further attacks, including persistent backdoors and lateral movement within the network.
CVE-2024-39621 was publicly disclosed on August 1, 2024. While no active exploitation campaigns have been definitively confirmed, the Path Traversal vulnerability is a well-understood attack vector, and public proof-of-concept exploits are likely to emerge. It is not currently listed on CISA KEV. The ease of exploitation, combined with the widespread use of WordPress and plugins, makes this a potentially attractive target for malicious actors.
WordPress sites utilizing the ListingPro plugin, particularly those running versions prior to 2.9.4, are at significant risk. Shared hosting environments are especially vulnerable, as they often have limited access controls and a higher concentration of vulnerable plugins. Sites with sensitive data or those used for e-commerce are also at higher risk.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/listingpro/*
• generic web:
curl -I 'https://your-wordpress-site.com/wp-content/plugins/listingpro/../../../../etc/passwd' # Check for file disclosure
Exploit status
EPSS
1.16% (79th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-39621 is to immediately upgrade the ListingPro plugin to version 2.9.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These might include restricting file access permissions on the server, implementing a Web Application Firewall (WAF) rule to block suspicious file inclusion attempts (e.g., patterns containing '../'), or carefully reviewing and sanitizing all user-supplied input related to file paths. After upgrading, verify the fix by attempting to access files outside the intended directory via the vulnerable endpoint and confirming that access is denied.
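The WAF workaround above only helps if the rule sees through encoding: a rule that matches the literal '../' misses percent-encoded and double-encoded forms of the same traversal. The following added example (not code from the advisory or from ListingPro) decodes request targets until stable and flags '..' segments in the URL path and in query-string values, run over constructed access-log lines; the view.php endpoint and its file parameter in the samples are hypothetical.

```python
"""Flag path-traversal attempts against the ListingPro plugin directory in
web-server access logs. A WAF rule matching only the literal "../" misses
percent- and double-encoded variants, so values are decoded until stable."""
import posixpath
import re
from urllib.parse import parse_qsl, unquote

_REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/')

def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) and unify slashes, so that
    '%2e%2e%2f' and '..%252f' both become '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def traversal_target(request_target: str):
    """Return the normalized path a traversal would reach, or None if benign.
    The URL path and every query-string value are inspected; a literal '..'
    segment is never sent by a well-behaved browser."""
    path, _, query = request_target.partition("?")
    for value in [path] + [v for _, v in parse_qsl(query, keep_blank_values=True)]:
        decoded = decode_fully(value)
        if ".." in decoded.split("/"):
            return posixpath.normpath(decoded)
    return None

def scan_access_log(lines):
    """Return (client_ip, resolved_target) for each flagged request line."""
    findings = []
    for line in lines:
        m = _REQ_RE.search(line)
        target = traversal_target(m.group("target")) if m else None
        if target is not None:
            findings.append((line.split(" ", 1)[0], target))
    return findings

# Constructed sample lines (Combined Log Format); the view.php endpoint and
# its "file" parameter are hypothetical, not ListingPro's real ones.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Aug/2024:10:00:00 +0000] "GET /wp-content/plugins/listingpro/assets/style.css HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Aug/2024:10:00:01 +0000] "GET /wp-content/plugins/listingpro/../../../../etc/passwd HTTP/1.1" 403 0',
    '203.0.113.8 - - [01/Aug/2024:10:00:02 +0000] "GET /wp-content/plugins/listingpro/%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 404 0',
    '203.0.113.9 - - [01/Aug/2024:10:00:03 +0000] "GET /wp-content/plugins/listingpro/view.php?file=..%252f..%252fwp-config.php HTTP/1.1" 200 0',
]
```

Feed scan_access_log() your real access log lines to list the source IPs and the resolved targets of flagged requests; the same decoding step belongs in any WAF rule you write for this advisory.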
Update the ListingPro plugin to the latest available version. The local file inclusion (LFI) vulnerability is fixed in versions later than 2.9.3. Consult the plugin documentation for instructions on how to update.
CVE-2024-39621 is a Path Traversal vulnerability affecting the ListingPro WordPress plugin, allowing attackers to potentially include arbitrary files on the server.
You are affected if you are using ListingPro versions 2.9.3 or earlier. Upgrade to 2.9.4 to resolve the issue.
Upgrade the ListingPro plugin to version 2.9.4 or later. As a temporary workaround, implement WAF rules to block path traversal attempts.
While no active exploitation has been confirmed, the vulnerability is well-understood and exploitation is likely.
Refer to the official ListingPro website and WordPress plugin repository for the latest advisory and update information.